Full Report
The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from Adversa AI, which named the bypass GuardFall, found that it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, "Continue," was built to
Analysis Summary
# Vulnerability: GuardFall Shell Injection Bypass in AI Coding Agents
## CVE Details
- **CVE ID**: N/A (Described as a "class of problems" and a "dangerous convention" rather than a single software bug; however, tracked in specific tool issues such as Hermes-Agent Issue #36846)
- **CVSS Score**: N/A (High Severity impact)
- **CWE**: CWE-78 (OS Command Injection), CWE-184 (Incomplete List of Disallowed Elements)
## Affected Systems
- **Products**: Major open-source AI coding and computer-use agents, including:
- opencode
- Goose
- Cline
- Roo-Code
- Aider
- Plandex
- Open Interpreter
- OpenHands
- SWE-agent
- Hermes project
- **Versions**: Various (Reported as affecting 10 out of 11 popular tools as of May/June 2026)
- **Configurations**: Systems running with auto-execute flags enabled (`--auto-exec`, `--auto-run`), sandbox environments disabled, or agents running with full user account privileges.
## Vulnerability Description
GuardFall is a bypass technique that exploits a discrepancy between how AI agents filter commands and how the operating system's shell (e.g., Bash) executes them.
Most agents use a blocklist approach, checking the command string for dangerous patterns (such as `rm`) as plain text. Shells, however, perform command-line expansion and quote removal before execution, so a command written with shell tricks such as `r''m` or `r""m` does not match the agent's text-based filter but is interpreted by the shell as the intended dangerous command. The result is command injection through booby-trapped repositories, documentation, or build files that steer the agent into issuing such a command.
## Exploitation
- **Status**: PoC available (Demonstrated by Adversa AI in lab environments; no known exploitation in the wild).
- **Complexity**: Low (Uses decades-old shell techniques).
- **Attack Vector**: Network/Local (Triggered by directing an agent to interact with a malicious repository or configuration file).
## Impact
- **Confidentiality**: High (Can steal SSH keys, cloud credentials, and sensitive files).
- **Integrity**: High (Can modify source code, overwrite files, or clear logs).
- **Availability**: High (Can delete entire directories or system files via `rm`).
## Remediation
### Patches
- **Continue**: Already implements a robust defense by tokenizing commands and checking against an allow/block list after shell-like parsing.
- **Other Agents**: Users should check the specific GitHub repositories (e.g., `https[:]//github[.]com/NousResearch/hermes-agent/issues/36846`) for individual tool updates.
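The contrast between the plain-text blocklist described under Vulnerability Description and the tokenize-then-check approach credited to Continue above, as an added Python example (not code from Continue, Adversa AI, or any agent named in this report). The blocklist, the wrapper list and the fail-closed policy on unresolved expansions are illustrative choices; `shlex` is the standard-library approximation of POSIX quote removal and does not model aliases, variable expansion or command substitution.

```python
"""Blocklist checks before and after shell-like parsing.
Added illustration; not the code of any agent named in the report."""
import os
import shlex

# Constructed, illustrative blocklist of command words that must not run unattended.
BLOCKED_COMMANDS = {"rm", "dd", "mkfs", "shred"}

# Characters shlex returns as operator tokens; each run starts a new simple command.
OPERATOR_CHARS = "();|&\n"

# Wrapper commands whose first argument is the command that really runs (illustrative subset).
WRAPPERS = {"sudo", "env", "command", "exec", "nohup", "time"}


def naive_is_blocked(command: str) -> bool:
    """The weak check the report describes: look for a blocked word as literal text."""
    return any(word in BLOCKED_COMMANDS for word in command.split())


def shell_tokens(command: str) -> list[str]:
    """Tokenize roughly the way a POSIX shell does: quote removal and backslash
    escapes are applied, and operators (; | && || & newline) become their own tokens.
    Raises ValueError on unbalanced quotes, which the shell would reject as well."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=OPERATOR_CHARS)
    lexer.whitespace = " \t\r"      # keep newline as an operator, not as whitespace
    lexer.whitespace_split = True   # do not split on characters outside wordchars
    return list(lexer)


def is_operator(token: str) -> bool:
    return bool(token) and all(ch in OPERATOR_CHARS for ch in token)


def is_assignment(token: str) -> bool:
    """VAR=value prefixes do not change which command runs: FOO=1 rm x still runs rm."""
    name, sep, _ = token.partition("=")
    return bool(sep) and name.isidentifier()


def command_words(tokens: list[str]) -> list[str]:
    """Return the command word of every simple command in the token stream."""
    words: list[str] = []
    current: list[str] = []
    for tok in tokens + [";"]:           # trailing ';' flushes the last command
        if not is_operator(tok):
            current.append(tok)
            continue
        rest = current
        while rest and is_assignment(rest[0]):
            rest = rest[1:]
        while rest and os.path.basename(rest[0]) in WRAPPERS:
            rest = rest[1:]
        if rest:
            words.append(os.path.basename(rest[0]))   # /bin/rm -> rm
        current = []
    return words


def hardened_is_blocked(command: str) -> bool:
    """Check the blocklist against what the shell would actually run, failing closed
    on anything the tokenizer cannot resolve statically."""
    try:
        tokens = shell_tokens(command)
    except ValueError:
        return True   # unbalanced quoting: refuse rather than guess
    if any("$" in tok or "`" in tok for tok in tokens):
        # Variable expansion and command substitution are resolved by the shell at
        # run time, so `$(printf rm)` cannot be judged here. Deliberately conservative:
        # `ls $HOME` is also held back for a human to approve.
        return True
    return any(word in BLOCKED_COMMANDS for word in command_words(tokens))


if __name__ == "__main__":
    for cmd in ["rm -rf ./build", "r''m -rf ./build", "echo ok && sudo /bin/r\\m -rf ~",
                "FOO=1 'r'm x", "ls -la ~/.ssh", "$(printf rm) -rf /"]:
        print(f"{cmd!r:40} naive={naive_is_blocked(cmd)!s:5} hardened={hardened_is_blocked(cmd)}")
```

`shlex` only approximates the shell grammar (it splits `2>&1` around the `&`, for instance), so a check like this narrows the gap the report describes but does not replace the sandboxing and auto-execution workarounds listed below.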
### Workarounds
- **Disable Auto-Execution**: Turn off flags such as `--auto-exec`, `--auto-run`, or `dangerously-skip-permissions`.
- **Restrict Environment**: Point the `$HOME` environment variable to a throwaway/empty directory to protect `~/.ssh` and `~/.aws`.
- **Sanitize Input**: Do not point agents at untrusted pull requests from forks or unverified repositories.
- **Config Awareness**: Treat agent-specific config files (e.g., `.aider.conf.yml`) as executable code.
## Detection
- **Indicators of Compromise**: Unexpected shell syntax in agent command logs (e.g., empty quote pairs `''` or `""` splitting a word, base64 piping, or unusual `find`/`dd` flags).
- **Detection Methods**: Audit agent logs for commands that deviate from typical coding tasks; monitor for unusual outbound network traffic or access to credential stores originating from AI agent processes.
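A log-triage pass over the indicators listed above, as an added Python example (not a tool from Adversa AI or from any agent named here). The JSON-lines log format, its field names and the sample entries are constructed for the example; the rules encode the report's own indicators: an empty quote pair inside a word, base64 decoding piped into a shell, and reads of `~/.ssh` or `~/.aws`.

```python
"""Retrospective triage of an agent's command log for the indicators in the report.
Added illustration; the log format and every entry below are constructed."""
import json
import re

# Constructed sample log: one JSON object per executed command (field names assumed).
# The last entry is a deliberate near-miss: an empty quote pair that is not inside a word.
SAMPLE_LOG = """\
{"ts": "2026-06-02T10:14:03Z", "agent": "example-agent", "cmd": "pytest -q tests/"}
{"ts": "2026-06-02T10:14:09Z", "agent": "example-agent", "cmd": "git commit -m 'fix typo'"}
{"ts": "2026-06-02T10:15:41Z", "agent": "example-agent", "cmd": "r''m -rf ./build"}
{"ts": "2026-06-02T10:15:42Z", "agent": "example-agent", "cmd": "echo aGVsbG8= | base64 -d | sh"}
{"ts": "2026-06-02T10:15:50Z", "agent": "example-agent", "cmd": "cat ~/.ssh/id_ed25519"}
{"ts": "2026-06-02T10:16:02Z", "agent": "example-agent", "cmd": "git log --format='' -n 1"}
"""

# (rule name, regex). Each pattern is kept narrow to limit false positives.
RULES = [
    # An empty quote pair with non-space characters on both sides splits a word without
    # changing what the shell runs (r''m). An ordinary empty argument such as -m '' or
    # --format='' has whitespace on at least one side and does not match.
    ("empty-quotes-inside-word", re.compile(r"""\S(?:''|"")\S""")),
    # base64 decoding whose output is handed to a shell interpreter.
    ("base64-decode-to-shell", re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba|z|da)?sh\b")),
    # Reads of well-known credential stores under the home directory.
    ("credential-store-access", re.compile(r"(?:~|\$HOME)/\.(?:ssh|aws)/")),
]


def audit_log(log_text: str) -> list[dict]:
    """Return one finding per (log entry, rule) hit, keeping the timestamp and raw command
    so an analyst can pivot to what the agent did next."""
    findings: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        cmd = entry.get("cmd", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"ts": entry.get("ts"), "agent": entry.get("agent"),
                                 "rule": name, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['rule']:26} {finding['cmd']}")
```

The rules flag syntax, not intent, so each hit still needs the surrounding entries reviewed: a blocked-word check such as the one under Remediation tells you what the command would have run, while this pass tells you when an agent's recorded commands stopped looking like coding tasks.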
## References
- **Adversa AI Research**: `https[:]//adversa[.]ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability/`
- **The Hacker News Article**: `https[:]//thehackernews[.]com/2026/06/guardfall-exposes-open-source-ai-coding.html`
- **Hermes Agent Issue Tracker**: `https[:]//github[.]com/NousResearch/hermes-agent/issues/36846`